// ERK · SECURITY POLICY
Responsible disclosure.
We build security tools — so we take ours seriously. If you find a vulnerability affecting ERK, our infrastructure, or our customers, we want to hear about it.
How to report
Email security@erksecurity.com with:
- A clear description of the issue
- Steps to reproduce (proof of concept welcome)
- Affected URL, endpoint, or component
- Your assessment of impact
Encrypt sensitive details if you wish. PGP key available on request.
See also /.well-known/security.txt.
Our commitment
- We acknowledge reports within 2 business days.
- We work with you in good faith to validate and remediate.
- We will not pursue legal action against researchers acting in good faith.
- With permission, we credit you publicly when the issue is resolved.
Scope
In scope:
- erksecurity.com and all subdomains
- The ERK admin console
- Any service we host or operate on customers' behalf (with their consent)
Out of scope:
- Third-party services (Supabase, Cloudflare, Vercel, etc.) — report to the vendor
- Social engineering, physical attacks, denial of service
- Automated scanner output without manual verification
Safe harbor
Good-faith research under this policy is authorized. Do not access data you do not need, do not degrade service, and do not disclose publicly before we have had a reasonable time to fix the issue.